Now available in conjunction with Checkmarx Software Composition Analysis (SCA), the solution restores trust in modern application development while allowing developers to continue adopting open source code
Shanghai, China, March 29, 2022 – (ACN Newswire) – Checkmarx, the global leader in developer-centric application security testing (AST) solutions, today announced the launch of Checkmarx Supply Chain Security, a solution that identifies suspicious and potentially malicious open source packages throughout the modern application development lifecycle.
According to Gartner®[1], "by 2025, 60% of organizations will strengthen their software delivery pipeline to prevent supply chain security attacks."
"Attackers are turning their attention to the software supply chain by abusing the open source software ecosystem, which has traditionally been trusted by the global developer community," said Emmanuel Benzaquen, Chief Executive Officer of Checkmarx. "Checkmarx is taking a developer-first approach to detecting supply chain attacks in code packages, using a set of threat intelligence, behavioral intelligence and machine learning models."
Supply chain security research and thought leadership
In the past few months, the Checkmarx security research team has identified hundreds of malicious open source packages. The Checkmarx blog provides research articles highlighting three main types – dependency confusion, typosquatting and chainjacking. An additional report highlighting three emerging trends in malicious open source packages is provided here.
Checkmarx Supply Chain Security works together with Checkmarx Software Composition Analysis (SCA) to identify health and security anomalies in open source projects, analyze the reputation of contributors, and directly inspect the behavior of packages through in-house analysis. The result is comprehensive software supply chain insight and analysis, bridging a major gap in organizational application security.
"At present, the solutions in the market are passive. They rely on community feedback to detect vulnerable code and analyze the code, rather than the people behind it," said Tzachi Zornstain, Head of Supply Chain Security at Checkmarx. "Checkmarx's supply chain security solution is based on the principle of 'don't get code from strangers', referring to our reputation database, which is like a credit scoring system for code contributors. Our goal is to support the rapid application development of enterprises while maintaining the trust of customers."
Comprehensive supply chain security for modern application development
Checkmarx Supply Chain Security enables organizations to use open source software safely and reliably to accelerate modern application development through a set of key capabilities:
Health and wellness and software bill of materials (SBOM): provide insight into open source packages and their communities, combined with SBOM generation.
Malicious package detection: detect dependency confusion, typosquatting, chainjacking and other malicious activity and packages.
Contributor reputation: restore trust in the source of open source packages without having to manually analyze contributor activity across every project that may affect the organization.
Behavior analysis: combine static and dynamic analysis to observe how the code operates. The Checkmarx Supply Chain Security detonation chamber provides in-depth analysis and deobfuscation of code packages to expose hidden threats.
Continuous results processing: provide continuous updates from Checkmarx security research and threat hunting, maintaining the reputation and vulnerability databases for customers.